
Intrusion Prevention Systems
© 2012 Cisco and/or its affiliates. All rights reserved.

Contents
This chapter describes the functions and operations of intrusion detection systems (IDS) and intrusion prevention systems (IPS).
• The fundamentals of intrusion prevention, comparing IDS and IPS
• The building blocks of IPS, introducing the underlying technologies and deployment options
• The use of signatures in intrusion prevention, highlighting the benefits and drawbacks
• The need for IPS alarm monitoring, evaluating the options for event managers
• Analyzing the design considerations in deploying IPS

IPS Fundamentals
Introducing IDS and IPS:
• Targeted, mutating, stealth threats are increasingly difficult to detect.
• Attackers have insidious motivations and exploit high-impact targets, often for financial benefit or economic and political reasons.
• Attackers are taking advantage of new ways of communication.
IDS:
• Analyzes copies of the traffic stream
• Does not slow network traffic
• Allows some malicious traffic into the network
IPS:
• Works inline in real time to monitor Layer 2 through Layer 7 traffic and content
• Needs to be able to handle network traffic
• Prevents malicious traffic from entering the network

IDS and IPS technologies
• IDS and IPS technologies share several characteristics:
• IDS and IPS technologies are deployed as sensors. An IDS or an IPS sensor can be any of the following devices:
– A router configured with Cisco IOS IPS Software
– An appliance specifically designed to provide dedicated IDS or IPS services
– A network module installed in a Cisco adaptive security appliance, switch, or router
• IDS and IPS technologies typically monitor for malicious activities in two spots:
– Network:
– Hosts:
• IDS and IPS technologies use signatures to detect patterns of misuse in network traffic
• IDS and IPS technologies look for the following general patterns of

Intrusion Detection System
• An IDS monitors traffic offline and generates an alert (log) when it detects malicious traffic, including:
– Reconnaissance attacks
– Access attacks
– Denial of Service attacks
• It is a passive device because it analyzes copies of the traffic stream.
– Only requires a promiscuous interface.
– Does not slow network traffic.
– Allows some malicious traffic into the network.
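The IDS-versus-IPS distinction on these slides (a copy-inspecting sensor that only alerts, against an inline sensor that drops on a signature match) can be shown with a small sensor model. This is an added example, not Cisco's code or any real signature set: the packet fields, the two content signatures, the port-sweep threshold and the traffic are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
@dataclass
class Packet:
    src: str
    dport: int
    payload: bytes = b""
@dataclass
class Signature:
    name: str
    category: str   # reconnaissance / access / denial of service, as on the slides
    pattern: bytes  # byte pattern that must appear in the payload

# Constructed example signatures, not real Cisco signature definitions.
SIGNATURES = [Signature("shell path in web request", "access", b"/bin/sh"),
              Signature("directory traversal", "access", b"../../")]

class Sensor:
    """mode='ids': inspects a copy and only alerts; mode='ips': inline, drops on a match."""
    def __init__(self, mode, signatures=SIGNATURES, scan_threshold=5):
        assert mode in ("ids", "ips")
        self.mode, self.signatures, self.scan_threshold = mode, signatures, scan_threshold
        self.alerts = []                    # (src, category, signature name)
        self.ports_seen = defaultdict(set)  # src -> distinct destination ports (scan state)

    def inspect(self, pkt):
        hits = [(pkt.src, s.category, s.name) for s in self.signatures if s.pattern in pkt.payload]
        ports = self.ports_seen[pkt.src]
        is_new_port = pkt.dport not in ports
        ports.add(pkt.dport)
        if is_new_port and len(ports) == self.scan_threshold:  # stateful reconnaissance signature
            hits.append((pkt.src, "reconnaissance", "port sweep"))
        return hits

    def process(self, pkt):
        """Return True if the packet reaches the protected network."""
        hits = self.inspect(pkt)
        self.alerts.extend(hits)
        if self.mode == "ips" and hits:
            return False  # inline: the offending packet is dropped before it enters
        return True       # IDS: the original already passed; only the copy was inspected

def run(mode, packets):
    sensor = Sensor(mode)
    forwarded = [p for p in packets if sensor.process(p)]
    return sensor.alerts, forwarded

# Constructed traffic: a port sweep from one host, then a malicious HTTP request.
TRAFFIC = [Packet("10.0.0.5", p) for p in (21, 22, 23, 25, 80)]
TRAFFIC.append(Packet("10.0.0.5", 80, b"GET /cgi-bin/x?cmd=/bin/sh HTTP/1.0"))
```

Running the same traffic through both modes yields identical alerts, but only the IPS sensor keeps the two flagged packets out of the network, which is the "allows some malicious traffic" versus "prevents malicious traffic" contrast on the slides.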